Jackson's comments, commiserations, confabulations and simplifications on identity management and Microsoft's Active Directory all based on his continuous "reality tour" of meetings with customers, ISVs and Microsoft.

Monday, December 17, 2007

Google's identity problems

In the early days of Google Apps the only way to sign up was by linking to an existing Google Account, in the format of myname@gmail.com. If you have one of those accounts, there is no way to tell Google that you are now myname@mydomain.com. This means that Google Apps thinks of your original @gmail and new @domain identities as two different ones. You can directly access (via URL) your own Calendar, Docs, Groups, etc., all under your own domain; however, programs that need to access those apps only find the other version, attached to your @gmail.com account. A simple example is trying to save an event from Upcoming.org, Zvents, or any other service: there’s no way to use them with your own domain.

Even Google Groups is messed up: when I am logged in as myname@mydomain.com, Groups that I am a member of won’t recognize me. I actually have to have duplicate identities created in Google Groups: one to be able to send email (my own domain) and one to be able to access Group’s other features via the browser (@gmail format).

I'm not positive about this but I wonder if a federation-based solution using something like Microsoft's CardSpace on the front-end would help. That said, the bigger issue is the Google "namespace" on the back-end. I wonder if their directory supports aliasing? I think the ability for an end-user to have multiple aliases might solve the problem - user provisioned, of course. I'm sure Google isn't using Active Directory as their back-end server. Good thing because it doesn't support the concept of aliases. If Google wants to enable federation for their customers they have to solve this problem.

Does that truly "solve" the problem? I like the idea of having two or more faces - my Google business face, my personal face, etc. And, being able to move between them and authorize one to see parts/all of the other.

What happens when my association with Quest ends? I have to spin out a gmail account and start over again?

I like the fact that I have both an @Quest.com instant messaging account and an @Hotmail.com one and both are signed into from the IM application.

Legal

The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not represent those of my employer or anyone else for that matter. View this blog's privacy policy here.

16 CFR § 255.5 disclosure: I am an employee of Quest Software.